Acreed Rises After Lumma’s Fall: The Next King of Credential Theft?

Introduction:

A seismic shift is unfolding in the world of cybercrime. As one dominant malware variant crumbles under law enforcement pressure, another swiftly rises to take its place. Meet Acreed — the emerging infostealer that may soon rule the dark web’s lucrative stolen credential market. With Lumma Stealer’s downfall in May 2025, threat actors are quickly rallying around this aggressive newcomer. This piece delves into Acreed’s sudden dominance, the current dynamics of Russian Market (a major dark web platform), and what this all means for businesses navigating today’s cybersecurity landscape.

Dark

ReliaQuest’s latest threat intelligence report has identified Acreed as the fastest-growing infostealer in the cybercriminal world, filling the vacuum left by the takedown of Lumma Stealer in May 2025. Until recently, Lumma — also known as LummaC2 — was responsible for a staggering 92% of all credential theft log alerts on Russian Market, the most prominent dark web marketplace for buying and selling stolen credentials.

Following a global law enforcement operation that led to the seizure of over 2,300 Lumma-related domains, the criminal underground was forced to shift. Acreed has now taken center stage, overtaking long-standing players like RedLine, Raccoon, StealC, and Vidar.

Russian Market itself has become a stronghold in the underground economy. It gained popularity in 2022 and survived takedowns that shuttered competitors like Genesis Market in 2023. Known for its user-friendly design and low-cost logs (often priced at just $2), it continues to attract cybercriminals across the globe.

ReliaQuest’s deep dive into Russian Market data revealed that much of the stolen credential information is duplicated across multiple platforms. In 2024 alone, they detected over 136,000 alerts tied to customer domains listed on Russian Market. Alarmingly, 61.19% of the logs were associated with SaaS solutions, and nearly 77% likely contained SSO credentials — a critical gateway for enterprise systems.

Industries most targeted included professional, scientific, and technical services (accounting for 30% of all credential logs), followed by the information sector (28%). As of May 2025, more than 50,000 alerts had already been triggered this year, reinforcing the ongoing threat of credential theft across sectors.

What Undercode Say:

The meteoric rise of Acreed underscores a critical trend in cybercrime: malware ecosystems are fluid, highly adaptable, and market-driven. When one major tool collapses, another is waiting in the wings, often more potent and refined.

Acreed’s ascension isn’t just about replacing Lumma —

Moreover, Russian Market’s continued success after the fall of competitors like Genesis Market proves that cybercriminal infrastructure can’t be easily dismantled. The platform’s ease of use, affordability, and recycled content model make it incredibly resilient. Even with multiple global crackdowns, marketplaces like Russian Market evolve quickly, often becoming more efficient and harder to monitor.

The predominance of SaaS and SSO credentials in stolen data shows that attackers are targeting the heart of enterprise operations. Single sign-on credentials, in particular, are a goldmine — giving access not just to one system, but potentially dozens of interconnected services. This reflects a strategic shift in cybercrime tactics: attackers are aiming for quality over quantity, seeking the highest value credentials with the widest possible access.

Organizations, especially in tech-heavy sectors, need to take note. Traditional perimeter defenses won’t stop credential-based attacks. Zero Trust architectures, user behavior analytics, real-time alerting, and employee education must become standard in every cybersecurity strategy.

Another worrying trend is the recycling of credential logs. With 85% of the stolen data appearing across multiple sources, businesses face the added challenge of identifying and remediating breaches that may not even be recent. This extends the lifetime of a credential breach, making incident response more complex and time-sensitive.

The fact that over 50,000 alerts have been raised in just the first five months of 2025 should be a wake-up call. This is not a shrinking threat — it’s one that’s expanding, evolving, and thriving despite enforcement efforts. Cybercrime is no longer just opportunistic; it’s industrialized, with ecosystems that mirror legitimate tech business models.

In essence, Acreed represents not just a new threat, but a new chapter in the evolution of the dark web economy.

Fact Checker Results:

✅ Lumma Stealer was responsible for 92% of credential theft logs on Russian Market before being shut down in May 2025
✅ Acreed is now the leading infostealer replacing Lumma across dark web platforms
✅ Over 50,000 credential alerts were triggered in just the first five months of 2025 📊🔐💣

Prediction:

With Acreed on the rise, expect to see a new wave of credential thefts targeting cloud services and enterprise tools over the next six months. As this strain gains traction, malware developers will likely introduce advanced variants with built-in evasion capabilities. Law enforcement will respond, but the next takedown will only fuel the cycle — leading to even more adaptive and elusive threats. For organizations, the focus must shift from passive defense to proactive detection, before access logs turn into ransom demands.

References:

Reported By: www.infosecurity-magazine.com